[tbb-commits] [tor-browser/tor-browser-60.1.0esr-8.0-1] Bug 26353: Prevent speculative connect that violated FPI.

[gk at torproject.org]

commit 1b1c4e4143d57a72e02464ac3bc343bd6d57ec9e
Author: Arthur Edelstein <arthuredelstein at gmail.com>
Date:   Sat Jul 14 08:50:55 2018 -0700

    Bug 26353: Prevent speculative connect that violated FPI.
    
    Connections were observed in the catch-all circuit when
    the user entered an https or http URL in the URL bar, or
    typed a search term.
---
 toolkit/components/remotebrowserutils/RemoteWebNavigation.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/toolkit/components/remotebrowserutils/RemoteWebNavigation.js b/toolkit/components/remotebrowserutils/RemoteWebNavigation.js
index 9ca238359c0f..8f256f41953d 100644
--- a/toolkit/components/remotebrowserutils/RemoteWebNavigation.js
+++ b/toolkit/components/remotebrowserutils/RemoteWebNavigation.js
@@ -72,6 +72,10 @@ RemoteWebNavigation.prototype = {
   },
   loadURIWithOptions(aURI, aLoadFlags, aReferrer, aReferrerPolicy,
                      aPostData, aHeaders, aBaseURI, aTriggeringPrincipal) {
+/*******************************************************************************
+   TOR BROWSER: Disable the following speculative connect until
+   we can make it properly obey first-party isolation.
+
     // We know the url is going to be loaded, let's start requesting network
     // connection before the content process asks.
     // Note that we might have already setup the speculative connection in some
@@ -95,6 +99,7 @@ RemoteWebNavigation.prototype = {
         // reason (such as failing to parse the URI), just ignore it.
       }
     }
+*******************************************************************************/
     this._sendMessage("WebNavigation:LoadURI", {
       uri: aURI,
       flags: aLoadFlags,